It is widely known the FBI shut down the DNSChanger name servers as part of Operation Ghost Click in November of 2011.
What many people do not know is that the clean DNS servers which are operated by the Internet Systems Consortium (ISC) and used to replace the rogues will be shut down on March 8, 2012.
From the start, the US District Court for the Southern District of New York permitted the ISC to operate these servers for a period of 120 days. However, on February 17, 2012 the US government requested this deadline be extended to July 9, 2012.
Barring an extension from the FBI, those systems still infected with DNSChanger will cease receiving DNS services from the ISC controlled name servers on this date. In other words, they will not be able to properly access internet resources. This gives information security professionals less than two weeks to detect, locate and remediate any systems on their networks that are still infected.
The DNSChanger Working Group (DCWG) estimates there are still approximately 450,000 systems still infected as of January 28, 2012. Other statistics show that DNSChanger may be present in half of the Fortune 500 companies as well as at least 27 government organizations.[4,5,6]
In early February 2012 Internet Identity disclosed there were 3 million systems still infected globally.[5,6] This is a relatively small number of systems when compared to other virus outbreaks. Regardless it represents a challenge to security professionals.
This can be a substantial undertaking for large enterprises. The nature of DNSChanger was to redirect infected systems to malicious destinations. Many of these sites in turn installed additional malware. By finding a DNSChanger infected system you will be finding a system that has additional infections. This should justify the need for a thorough sweep for DNSChanger infections.
Luckily there are many resources available to detect and remediate DNSChanger infections. The easiest way is to utilize a network monitoring tool to isolate DNS traffic to the ISC operated DNS resolvers.
The offending netblocks are:[1,8]
188.8.131.52/20 (184.108.40.206 through 220.127.116.11)
18.104.22.168/20 (22.214.171.124 through 126.96.36.199)
188.8.131.52/21 (184.108.40.206 through 220.127.116.11)
18.104.22.168/24 (22.214.171.124 through 126.96.36.199)
188.8.131.52/20 (184.108.40.206 through 220.127.116.11)
18.104.22.168/20 (22.214.171.124 through 126.96.36.199)
What should you do if your organization owns an IP address listed above? If your organization does own one of these IP addresses the FBI should’ve contacted you. This provides organizations an opportunity to review their lines of communication and contact information. Review this process and ensure you have a clearly defined and efficient process for notifying security professionals when this happens.
How easy, or difficult, was it for the agent to get through to the correct person? If the FBI contacts someone in your organization you do not want them blindly transferred from one person to another until they eventually reach the right person. Think how that will reflect on your organizations professional reputation.
If they choose to contact you through email you do not want their message sitting in an abuse mailbox that is not checked on a regular basis. Security staff should be monitoring any/all abuse mailboxes within the organization. This is not something DNSChanger specific but rather a proactive process designed to address, and respond to, any complaints or notifications (i.e. copyright infringement notifications) that require immediate attention.
Furthermore, all contact information with various service providers; ISP’s, ARIN… should be verified to ensure the proper personnel are listed and their information is correct.
If you are unsure as to whether or not traffic associated with DNSChanger is on your network the DCWG, along with others, offers help to qualified organizations which can be found here. There are many other resources available to assist in detecting and remediating DNSChanger.
The FBI has published a paper with instructions on how to detect DNSChanger on individual systems. US-CERT has released another paper with instructions on how to remove a Trojan Horse or Virus. A number of countries have created sites to determine if a system is infected. These sites follow a standardized naming convention: http://dns-ok.CountryCode.
Here is a partial list:
http://dns-ok.us (United States)
Personnel should not view this as a “non-event”. This should be treated as, at the very least, a security incident. One of the purposes of DNSChanger was to redirect infected systems to malicious websites. Victims were then further infected. Trojan horse malware such as Zlob, TDSS, Alureon, TidServ, and TLD4 will most likely be present on DNSChanger infected systems. These too, will need to be remediated.
These additional infections are examples of sophisticated malware. They prevent systems from updating themselves, evade traditional anti-virus software, infect the systems master boot record (MBR) and install keyloggers. Highly sophisticated rootkits like those mentioned above are extremely difficult to remove.
Software vendors have developed ways to remove these rootkits. Some of the more popular removal tools are listed below, make sure to follow the vendors directions (Note: this is not to be construed as an endorsement by the author, InfosecIsland.com or any other website this article may appear on):
How to Remove the Trojan.DNSChanger Virus (YouTube video)
DNSChanger Trojan Horse (Mac & PC)
Microsoft Recovery Console (MS Windows XP)
The March 8th deadline should be treated as an opportunity for your organization. This is a unique situation that affords any enterprise the chance to learn and refine their processes and procedures. Like any other virus outbreak, this requires a coordinated effort between security professionals, systems administrators and other stakeholders.
Come March 9th a post mortem analysis with all involved parties should show your organizations incident response strengths and weaknesses, learn from it.